knowledge base for the linux kernel ashvin goel university of toronto progress report for the...
TRANSCRIPT
Knowledge Base for the Linux Kernel
Ashvin GoelUniversity of Toronto
Progress report for the Advanced Host Level Surveillance (AHLS) project
Dec 10, 2013
2
Motivation
Goal is to detect attacks on operating system kernels
Protect kernel against vulnerable modules E.g., module calls unexported function, overwrites kernel
stack
Detect anomalous behavior of malicious modules E.g., sound module calls exported network send function
Requires understanding module behavior What modules do What they should be allowed to do
3
Approach
Instrument all module related code at runtime using dynamic binary translation (DBT) Rewrite binary module code on-the-fly during execution
Operates at instruction granularity Provides complete control over program execution
Requires no module sources to be available Building a system called Granary
Two key ideas Add module and kernel interface wrappers
Allows mediating all control transfers between kernel and modules Verify memory accesses by modules using watchpoints
Allows mediating all data accesses by modules
4
Overview of Granary
Add kernel and module wrappers and watchpoints Granary starts at module wrapper Granary stops at kernel wrapper Minimal overhead when kernel is
running
Wrappers allow adding arbitrary integrity checking instrumentation code
Watchpoints allow instrumenting data accesses
KernelGranar
y
Untrusted modules
Application Application
Untrusted modules
Module wrapper
Kernel wrapper
enter exit
Instrumented codeData watchpoint
5
Instrumenting Data Accesses Goals
Require flexible, powerful data-centric instrumentation
Requirements Allow instrumenting typed objects (not bytes of memory) Low overhead Scale to millions of objects
6
Approach
Address watchpoints Instrument data accesses by mangling memory addresses Triggers the invocation of a type-specific function when
watched memory address is dereferenced to access object
Example When a module (e.g., a file sytem module) accesses any
inode, an inode-specific watchpoint function is invoked
7
Benefits of Approach
Support millions of object-granularity watchpoints Addresses limitations of h/w watchpoints
Enables selective instrumentation Data selectivity
Type specific Allocator specific
Code selectivity kernel code vs. module code Single thread, function Context specific, e.g., in a critical section
8
Watchpoint Applications
Detecting buffer overflows Detecting read-before-write bugs, double free bugs Detecting memory leaks using garbage collector Debugging usage bugs, e.g., RCU bugs Enforcing fine-grained memory access policies
9
Design of Address Watchpoints Taint memory addresses that point to objects
Relies on x86-64’s 48-bit address implementation
Taint in the address indexes metadata stored in a global object descriptor table Embeds context-specific information, such as object type
0xFFFF FFFFA0092600
0x7654 FFFFA0092600
Index into object descriptor table
10
Achieving Data Selectivity
Tainted addresses are “non-canonical”, which enables data selectivity
Approach 1: Take a trap and turn on instrumentation
Approach 2: Instrument every load/store operation with DBT and detect tainted addresses
11
Achieving Code Selectivity
Different instrumentation policies for different execution contexts E.g. heavyweight instrumentation inside a critical section,
lightweight outside
Switch between policies Granary enables instrumentation code specialization at
runtime
12
Using Address Watchpoints
Example: use a function wrapper to add watchpoint on dynamically allocated memory
FUNCTION_WRAPPER(__kmalloc,(size_t size, gfp_t gfp),{ void *ret = __kmalloc(size, gfp); if(is_valid_address(ret)) { add_watchpoint(ret, size); } return ret;})
13
Using Address Watchpoints
Example: use a function wrapper to add watchpoint on dynamically allocated memory Developer identifies address sources (e.g. allocators)
FUNCTION_WRAPPER(__kmalloc,(size_t size, gfp_t gfp),{ void *ret = __kmalloc(size, gfp); if(is_valid_address(ret)) { add_watchpoint(ret, size); } return ret;})
14
Using Address Watchpoints
Example: use a function wrapper to add watchpoint on dynamically allocated memory Developer identifies address sources (e.g. allocators) Specifies object metadata for descriptor
FUNCTION_WRAPPER(__kmalloc,(size_t size, gfp_t gfp),{ void *ret = __kmalloc(size, gfp); if(is_valid_address(ret)) { add_watchpoint(ret, size); } return ret;})
15
Using Address Watchpoints
Example: use a function wrapper to add watchpoint on dynamically allocated memory Developer identifies address sources (e.g. allocators) Specifies object metadata for descriptor Adds watchpoint to address
FUNCTION_WRAPPER(__kmalloc,(size_t size, gfp_t gfp),{ void *ret = __kmalloc(size, gfp); if(is_valid_address(ret)) { add_watchpoint(ret, size); } return ret;})
16
Runtime Execution
Trap on watched, non-canonical address
Native Code(no DBT)
Load ALoad B
17
Runtime Instrumentation
Trap on watched, non-canonical address Turn on instrumentation
Native Code(no DBT)
Load ALoad B
Instrumented Basic BlockCheck if A is tainted Call Analyze(A)Load Untainted(A)Check if B is tainted Call Analyze(B)Load Untainted(B)…
18
Runtime Instrumentation
Trap on watched, non-canonical address Turn on instrumentation
Native Code(no DBT)
Load ALoad B
Instrumented Basic BlockCheck if A is tainted Call Analyze(A)Load Untainted(A)Check if B is tainted Call Analyze(B)Load Untainted(B)… Back to native code
19
Evaluation
Goal: Measure CPU overhead of selective instrumentation
Preliminary evaluation with a microbenchmark Data-centric instrumentation on objects primarily accessed
by the Ext3 file system module
Ran iozone file system benchmark We mounted Ext3 file system on a 2 GB ramdisk Buffer cache disabled
20
Watched roughly 30% of all object accesses to Ext3 allocated objects
8% average overhead
Native executionAddress Watchpoints
21
Current Status
Building a system for Linux called Granary that Instruments arbitrary, binary Linux kernel modules Uses type-specific wrappers for interposing on all code
crossing the kernel/module boundary
Granary uses address watchpoints for interposing on data accesses Enables highly selective code+data-centric instrumentation
Preliminary evaluation shows low overhead Leverages instrumentation selectivity Tainted addresses are easy to detect
22
Future Work
Improvements in instrumentation performance Faster watchpoints Faster instrumentation tools
Build watchpoint-based tools Working on detecting 1) buffer overflows, 2) use-after-free
bugs, 3) uninitialized read, 4) memory leaks, 5) RCU bugs …
Understanding module behavior Is the module passing arguments or returning values of wrong type? What data is owned/can be modified, referenced, called by modules What functions can the kernel call on behalf of modules?
23
Thanks!
Questions